For the first 72 hours after a hospital institutes its disaster protocol for the COVID-19 emergency, HIPAA sanctions and penalties will be waived for:
- Failure to obtain a patient’s agreement to speak with family/friends involved in the patient’s care
- Failure to honor a request to opt out of the facility directory
- Failure to distribute a Notice of Privacy Practices
- Failure to permit patients to request privacy restrictions or to comply with requested restrictions
- Failure to permit patients to request confidential communications or to comply with requested restrictions
For the duration of the COVID-19 emergency and until OCR issues a notice that it is no longer exercising enforcement discretion, HIPAA sanctions and penalties will be waived for:
- The good-faith provision of telehealth for any patient condition using non-public-facing video chat applications such as Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, WhatsApp video chat, Zoom, or Skype.[i]
  - OCR encourages providers to (1) notify patients that these third-party applications potentially introduce privacy risks, and (2) enable all available encryption and privacy modes when using such applications.
  - Public-facing remote communication products such as Facebook Live, Twitch, and TikTok, or chat rooms like Slack, should not be used in the provision of telehealth by covered health care providers.
  - Examples of “bad faith” provision of telehealth services, for which HIPAA violations would not be waived, include:
    - Conduct or furtherance of a criminal act, e.g., fraud, identity theft, or intentional invasion of privacy
    - Impermissible uses or disclosures of PHI obtained through a telehealth visit (e.g., sale of PHI, marketing without authorization)
    - Violation of state licensing laws or professional ethical standards in the provision of telehealth services
- The failure to have a BAA in place with vendors of such applications.
- A business associate’s[ii] use and disclosure of PHI to public health and health oversight authorities, or its performance of data analytics using PHI for disclosure to such officials, where its business associate agreements with covered entities do not specifically permit such uses and disclosures, if the business associate:
  - Makes the use or disclosure in good faith for purposes of public health or health oversight activities as described in the Privacy Rule;
  - Informs the covered entity or covered entities within 10 days after the use or disclosure occurs or commences; and
  - Complies with other applicable HIPAA requirements, including securely transmitting the PHI to the applicable authorities.
HHS and OCR emphasize in all of these guidance documents that except where required by law or for treatment disclosures, entities must make reasonable efforts to adhere to the minimum necessary standard.
HHS and OCR also offer guidance on permissible releases of PHI to:
- Family members and friends
- The media
- Emergency responders
- Public health officials
- Disaster relief organizations
- Correctional institutions and law enforcement
- Persons available to prevent or lessen a serious and imminent threat to a person’s or the public’s health or safety
[i] OCR mentions that texting applications such as Signal, Jabber, Facebook Messenger, Google Hangouts, WhatsApp, and iMessage also are secure, but these applications presumably can’t be used for telehealth, with the possible exception of store-and-forward visits (e.g., a picture of a rash).
[ii] OCR notes that it also will refrain from exercising enforcement discretion against covered entities under these circumstances.